PCPD e-NEWSLETTER
ISSUE May 2025
Privacy Commissioner’s Office has Completed Compliance Checks on 60 Organisations to Ensure AI Security
The PCPD has completed compliance checks on 60 organisations on their use of artificial intelligence and published a report on 8 May.
With the use of Artificial Intelligence (AI) becoming increasingly prevalent, more and more organisations use AI in their operations. Nevertheless, the privacy and security risks associated with AI should not be overlooked. To understand the usage of AI in Hong Kong and its impact on personal data privacy, the PCPD carried out compliance checks on 28 local organisations from August 2023 to February 2024 and provided practical recommendations to organisations which developed or used AI [1]. To implement the policy direction from the “Two Sessions” to promote the “AI Plus” Initiative and the Hong Kong Innovation and Technology Development Blueprint promulgated by the Government of the Hong Kong Special Administrative Region, and to promote the safe and healthy development of AI in Hong Kong, the PCPD began a new round of compliance checks in February 2025. These compliance checks covered 60 local organisations (Organisations) across various sectors, including telecommunications, banking and finance, insurance, beauty services, retail, transportation, education, medical services, public utilities, social services and government departments, and aimed to understand whether the Organisations complied with the relevant requirements of the Personal Data (Privacy) Ordinance (PDPO) in the collection, use and processing of personal data during their use of AI. The compliance checks also examined the Organisations’ implementation of the recommendations and best practices in the “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework) published by the PCPD in 2024, as well as their governance of the use of AI. Based on the findings of the compliance checks, the PCPD published a report on 8 May with the following major observations on the Organisations’ data protection practices when using AI (see Annex for details):
- 48 organisations (80%) used AI in their day-to-day operations, indicating a 5% increase compared to the compliance checks carried out in 2024. Among these, 42 organisations (approximately 88%) had been using AI for over a year;
- Among these 48 organisations, 26 (approximately 54%) of them used three or more AI systems. These AI systems were primarily applied in areas such as customer service, marketing, administrative support, compliance/risk management, and research and development, etc.;
- Among these 48 organisations, 24 (50%) of them collected and/or used personal data through AI systems. They provided data subjects with Personal Information Collection Statements on or before the collection of personal data, which specified the purposes for which the data was to be used, as well as the classes of persons to whom the data might be transferred, etc.;
- Among the 24 organisations, 19 (about 79%) of them retained the personal data collected through AI systems and specified the retention periods for personal data. They would delete the personal data after achieving the original purposes of collection. The remaining five organisations (approximately 21%) did not retain the personal data collected through AI systems;
- All organisations reviewed which collected and/or used personal data through AI systems implemented appropriate security measures to ensure that the personal data held by them in the course of using AI systems was protected. These measures included access control, penetration testing, encryption of data and anonymisation of personal data, etc. Among these, seven organisations (around 29%) also activated AI-related security alerts and conducted red teaming drills;
- Among the 24 organisations, 23 (about 96%) of them conducted tests prior to the implementation of AI systems to ensure their reliability, robustness and fairness. Additionally, 20 organisations (about 83%) conducted privacy impact assessments prior to the implementation of AI systems;
- Among these 24 organisations, 22 (approximately 92%) of them formulated data breach response plans to address contingencies. Among these, seven organisations (around 32%) specifically addressed AI-related data breach incidents in their response plans;
- Among the 24 organisations, 15 (approximately 63%) of them made reference to the guidelines/advice on AI published by the PCPD regarding the collection, use and processing of personal data through AI systems. These included the Model Framework, “10 Tips for Users of AI Chatbots” and “Guidance on the Ethical Development and Use of Artificial Intelligence”. Additionally, seven organisations (about 29%) planned to make reference to the aforesaid guidelines; and
- Among these 24 organisations, 19 (about 79%) of them established AI governance structures, such as setting up AI governance committees and/or appointing designated personnel to be responsible for overseeing the use of AI systems.
The PCPD has now completed the compliance checks and found no contravention of the PDPO during the compliance check process. In addition to making reference to the Model Framework, the PCPD also encourages organisations to refer to the “Checklist on Guidelines for the Use of Generative AI by Employees” issued by the PCPD to help them develop internal policies or guidelines on the use of generative AI (Gen AI) by employees at work and comply with the relevant provisions of the PDPO. Through this compliance check exercise, the PCPD would like to provide the following recommended measures to organisations that develop or use AI:
- If an organisation collects or processes personal data in the development or use of AI, it should adopt measures to ensure compliance with the relevant requirements of the PDPO, as well as monitor and review AI systems on a continuous basis;
- Establish a strategy for the development or use of AI and an internal AI governance structure, and provide adequate training to all relevant personnel. In addition, organisations should formulate an AI incident response plan to monitor and address incidents that may inadvertently occur;
- Conduct comprehensive risk assessments (including privacy impact assessments) to systematically identify, analyse and evaluate the risks, including privacy risks, in relation to the development or use of AI, and adopt appropriate risk management measures that are commensurate with the risks. For instance, a higher level of human oversight should be adopted for AI systems with a higher risk profile;
- Conduct internal audits (and independent assessments as necessary) of AI systems on a regular basis to ensure system security and data security, and that the development or use of AI continues to comply with the requirements of the organisation’s policies, including its AI strategy; and
- Communicate and engage effectively with stakeholders to enhance transparency in the use of AI, and fine-tune AI systems in a timely manner in response to feedback from stakeholders.
[1] https://www.pcpd.org.hk/english/news_events/media_statements/press_20240221.html
- Best Practices for Collecting and Using Biometric Data in the Age of AI
- PRIVACY COMMISSIONER’S FINDINGS: Use of Camera with Facial Recognition Function for Attendance Recording and Security Purpose
- Protect Your Digital Identity in an AI-Driven World
- A 46-year-old Female Arrested for Suspected Doxxing Arising from Monetary Disputes
- PCPD Urges Caution against Fake Neighbour Scams
- Free Online Seminars: Introduction to the PDPO
- Arrange an In-house Seminar for Your Organisation
- APPLICATION / RENEWAL OF DPOC MEMBERSHIP
- PCPD Supports the Cyber Security Staff Awareness Recognition Scheme 2025
- Telling a Good Hong Kong Story – Privacy Commissioner Meets with Director of Personal Data Protection Bureau of Macao
- Promoting AI Security – Privacy Commissioner Publishes an Article entitled “Companies Must Take the Initiative on Safe AI Practices” and Interviewed by Media
- Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Urge Caution against Fake Neighbour Scams
- Reporting to Legislative Council – Privacy Commissioner Attends Meeting of the Legislative Council Panel on Constitutional Affairs
- Fulfil Civic Responsibility – Privacy Commissioner Calls for Colleagues to Actively Register as Voters and Exercise their Voting Rights
- Promoting AI Security – Privacy Commissioner Meets with Representatives of the Hong Kong Federation of Trade Unions
- Promoting AI Security – Privacy Commissioner Publishes an Article on Hong Kong Lawyer
- Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Explain How the Use of AI Affects Personal Data Privacy
- Reaching Out to the Media Sector – Privacy Commissioner Attends the Hong Kong News Awards 2024 Presentation Ceremony cum Luncheon
- Implementing Spirit of “Two Sessions” – PCPD Convenes Sharing Session on Spirit of “Two Sessions”
- Reaching Out to Schools – PCPD’s Representative Speaks at Secondary School Seminar
- Promoting Cross-Boundary Flow of Personal Information – PCPD’s Representative Speaks at the Conference on “Protecting the Digital Consumer in Asia”
- Telling a Good Hong Kong Story – PCPD Staff Member Awarded Bronze Medal at the 5th Women’s AHF Cup
- Care for the Society – PCPD Volunteer Team Prepares Meal Boxes for those in Need Again
- Five PCPD Websites Receive “Triple Gold Award” Consecutively under the Digital Accessibility Recognition Scheme 2024-2025
- Highlights of the “Cybersecurity Law (Draft Amendment for Second Public Consultation)”
- EU: Commission Publishes Analysis of Stakeholder Feedback on AI Definitions and Prohibited Practices
- EU: Commission Publishes FAQs on AI Literacy
- The Increasing Need to Address Digital Governance
- Why Privacy Technology is Failing – and Why AI Won't Fix It
The PCPD will organise the “Privacy Awareness Week (PAW) 2025” from 9 to 15 June. PAW is an annual event jointly supported by members of the Asia Pacific Privacy Authorities (APPA) to raise public awareness of protecting and respecting personal data privacy. This year the PCPD will organise the PAW under the theme of “AI Security Matters for All” with a series of activities, including the thematic trams for roving promotions, a newly launched “AI Security” thematic website, and a series of thematic seminars, all aimed at increasing awareness of safeguarding personal data privacy when using AI. Please stay tuned for more details.
Best Practices for Collecting and Using Biometric Data in the Age of AI
|
Over the years, the application of biometric data has become increasingly prevalent across various industries. Many sectors are leveraging this technology to optimise user experiences, enhance services, and improve efficiency. For instance, financial institutions utilise facial recognition for secure transactions, while healthcare providers employ biometric identifiers to bolster patient safety.
In the age of AI, data is an invaluable asset, as it can be processed to train models, and the greater the volume of data used, the more accurate the results produced. Biometric data is no exception. By definition, biometric data includes the physiological data with which individuals are born, such as DNA samples, fingerprints and facial images, as well as behavioural data developed after birth, including handwriting patterns, typing rhythms, gait and voice patterns. These data types can significantly contribute to AI training by improving recognition algorithms and personalisation features.
Regardless of the type, biometric data is inherently sensitive personal data, as individuals cannot simply “reset” their biometric identifiers if they are leaked. Therefore, organisations must exercise extra caution when collecting and using biometric data for business purposes.
Here are some noteworthy principles and measures for biometric data collectors and users, aimed at reinforcing the protection of personal data:
- Assessing Necessity and Proportionality: Data users should ensure that the collection of biometric data is for a lawful purpose directly related to their functions and activities;
- Conducting Privacy Impact Assessment (PIA): Organisations intending to collect biometric data are encouraged to conduct a PIA, a systematic process that evaluates a proposal in terms of its impact on personal data privacy. Key considerations during this assessment should include the necessity of collecting biometric data, identifying the least intrusive option, determining whose biometric data should be collected, and defining the extent of data to be collected;
- Ensuring Transparency, Explainability and Informed Choices: Data subjects should be provided with free and informed choices upon collection of their biometric data, along with a full explanation of the personal data privacy impact of the collection. Data users are also responsible for ensuring data subjects understand whether providing such data is voluntary or obligatory, as well as the reasons for using biometric systems to achieve stated objectives, etc.; and
- Ensuring Data Minimisation, Accuracy and Security: The level of privacy concerns varies with the amount of biometric data to be collected. Therefore, only the minimum necessary biometric data should be collected to achieve a purpose. Data users are required to take all reasonable steps to ensure the accuracy of the personal data held, as inaccuracies can lead to adverse actions against individuals. Given the sensitivity of biometric data, it is crucial that organisations implement effective security measures to safeguard against data breaches and theft. For example, the information and communications systems used to store and process biometric data should be carefully and regularly evaluated to ensure that sufficiently effective security and privacy-protective measures are in place, and biometric data should be encrypted at rest (in storage) and in transit.
To learn more about the best practices in collecting and using biometric data, please refer to the “Guidance on Collection and Use of Biometric Data”.
PRIVACY COMMISSIONER’S FINDINGS
Use of Camera with Facial Recognition Function for Attendance Recording and Security Purpose
The Complaint
The complainant was a teacher. He was dissatisfied that his employer, a school, had installed a camera with a facial recognition function at the school entrance for attendance recording and security purposes without his knowledge and consent.
Outcome
For the collection of biometric data, the PCPD is of the view that biometric data is sensitive data and data users must first consider the necessity of collecting such data. Data users must consider whether it is feasible to collect less sensitive data to achieve the same purpose. The means of collection must be fair in the circumstances, so data users have the obligation to ensure that data subjects are given a free and informed choice as to whether to have their biometric data collected.
In this case, the PCPD learnt that for security purpose, a closed-circuit television system was installed at the school entrance with a security guard stationed there. For attendance recording purpose, teachers were required to use access cards to enter and leave the school. The PCPD also noted that the school did not give its employees a free and informed choice on the collection of their images by the camera.
Although the school stated that the installation of the camera was just for initial testing and the camera was subsequently removed, the PCPD considered that the school still needed to comply with the privacy protection requirements on handling biometric data. The PCPD strongly advised the school to consider whether there are any less privacy intrusive alternatives to the collection of employees’ biometric data in future and formulate privacy policies for compliance with the PDPO.
Lessons Learnt
In the digital era, the technology of using AI to identify individuals is getting more sophisticated. Many employers may wish to use the technology for enhancing security and facilitating staff monitoring. Biometric data (e.g. DNA samples, fingerprints, facial features, etc.) is unique and immutable, and when the data is consolidated and analysed, a particular individual can be uniquely identified, so it is regarded as personal data under the PDPO and is regulated by the PDPO.
In this case, if the employer simply wants to enhance security and facilitate monitoring of employees’ attendance, the employer should first consider adopting other less privacy intrusive alternatives to the collection of biometric data. If employers do not adopt these alternatives, they must have overriding reasons to justify the collection of biometric data and provide their employees with a choice to allow such collection or handling of their biometric data. Based on the principles of enhancing transparency and explainability, employers should inform all the affected employees of the collection of biometric data in a simple and easily understandable way. Trust with employees can then be built.
Undoubtedly, technologies and AI bring forth benefits and convenience. However, when the technologies involve collection or use of personal data, data users must carefully strike a balance between the benefits and protection of personal data privacy. While technologies are used to facilitate businesses, individuals’ privacy right should also be respected.
Protect Your Digital Identity in an AI-Driven World
In the fast-evolving digital landscape, the concept of digital identity is constantly being redefined. As AI reshapes how we interact with technology, it also transforms our understanding and management of digital identities. Today, digital identity is much more than just a username and password; it represents who we are online, for example, our credentials, behaviours and interactions across various digital platforms.
This means that your digital identity includes not only your social media profiles but also all the information you share online, such as your personal details on shopping websites, your browsing history and interactions in online forums.
However, the rise of AI has introduced new risks to digital identity, including deepfakes, which can misrepresent individuals; identity fraud, where someone steals your information to impersonate you; and data mining, which involves the unauthorised collection and analysis of personal data. Additionally, vulnerabilities in AI-driven identity verification processes can be exploited, and social engineering attacks manipulate individuals into disclosing sensitive personal data. These growing threats make securing digital identity more challenging than ever.
Here are some tips to help you protect your digital identity in an AI-driven world:
- Use two-factor or multi-factor authentication to enhance account security;
- Set unique and strong passwords for different online services;
- Think twice before disclosing personal and sensitive information, to avoid phishing attacks;
- Do not allow browsers to save your passwords on non-personal devices. Always log out of online accounts immediately after use;
- Delete accounts no longer in use to prevent unauthorised access; and
- Stay vigilant about notifications of suspicious account activities or transactions issued from service providers, and promptly seek assistance from them if in doubt.
Telling a Good Hong Kong Story – Privacy Commissioner Meets with Director of Personal Data Protection Bureau of Macao
Mr Ken YANG Chongwei, the Director of the Personal Data Protection Bureau of Macao (PDPB), led a delegation to visit the PCPD on 21 May and met with Privacy Commissioner Ms Ada CHUNG Lai-ling and representatives of the PCPD.
During the meeting, the parties shared the latest initiatives and strategic priorities of the two authorities and exchanged views and experiences on various aspects of personal data privacy protection, including the orderly cross-boundary flow of personal data between Hong Kong and Macao, as well as within the Guangdong-Hong Kong-Macao Greater Bay Area (Greater Bay Area).
The PCPD and the PDPB reaffirmed their commitment to close collaboration, with the aim of further strengthening their ties and jointly contributing to the development of the Greater Bay Area.
Promoting AI Security – Privacy Commissioner Publishes an Article entitled “Companies Must Take the Initiative on Safe AI Practices” and Interviewed by Media
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “Companies Must Take the Initiative on Safe AI Practices”. In the article, the Privacy Commissioner noted that Hong Kong is proactively developing its AI industry. However, with an increasing number of organisations leveraging Gen AI to enhance their competitiveness and drive digital transformation, the use of Gen AI by employees without proper guidance not only poses personal data privacy risks, but may also jeopardise the organisation’s own interests. The Privacy Commissioner also pointed out that in order to facilitate the safe and healthy development of AI in Hong Kong, the PCPD published the “Checklist on Guidelines for the Use of Generative AI by Employees” (Guidelines) in March 2025. The Guidelines aim to assist organisations in developing internal policies or guidelines on the use of Gen AI while complying with the relevant requirements of the PDPO. The article was published in South China Morning Post, Ta Kung Pao, Sing Tao Daily, HK01, Hong Kong Economic Journal, Hong Kong Economic Times and Ming Pao on 22 May. In addition, the Privacy Commissioner was interviewed by RTHK Radio 3’s “Backchat” on the same day to explain how the Guidelines published by the PCPD assist organisations to develop policy on the use of AI.
Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Urge Caution against Fake Neighbour Scams
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 1’s “HK2000”, CRHK’s “On a Clear Day” and Now News’ “News Magazine” on 20 May. She appealed to members of the public to be cautious of fake neighbour scams and shared anti-fraud tips to raise their awareness. During the interviews, the Privacy Commissioner noted the emergence of a new type of fraudulent trick, in which residents in different housing estates across Hong Kong have received SMS messages purporting to be from their neighbours, complaining about issues such as water seepage or noise and asking the residents to contact them via instant messaging applications. The affected districts include Tai Wai, Ma On Shan and Tsim Sha Tsui. The PCPD has received six related enquiries and complaints since March 2025. The Privacy Commissioner pointed out that fraudsters might obtain individuals’ telephone numbers through different channels and reminded the public that, in general, estate management offices would not disclose residents’ personal data to third parties. She advised members of the public to contact their estate management offices to make enquiries or seek verification if they receive any suspicious SMS messages, and to avoid disclosing personal data to others arbitrarily. She also invited the public to make enquiries or lodge complaints with the PCPD (“Personal Data Fraud Prevention Hotline”: 3423 6611 or email: communications@pcpd.org.hk).
Reporting to Legislative Council – Privacy Commissioner Attends Meeting of the Legislative Council Panel on Constitutional Affairs
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the meeting of the Legislative Council Panel on Constitutional Affairs on 19 May to brief Members on the protection of personal data privacy in the age of AI.
In the meeting, the Privacy Commissioner pointed out that AI security is a key aspect of national security and a cornerstone of Hong Kong’s future economic development. The PCPD has been proactively promoting the safe and healthy development of AI. At the local level, the PCPD has published a series of guidance materials and leaflets related to AI, including the recently issued Guidelines. The PCPD also completed compliance checks on 60 organisations from February to May this year regarding their use of AI.
On the international front, the PCPD has served as the co-chair of the Ethics and Data Protection in Artificial Intelligence Working Group of the Global Privacy Assembly since October 2024, with a view to continuously facilitating exchanges and cooperation with international counterparts.
Fulfil Civic Responsibility – Privacy Commissioner Calls for Colleagues to Actively Register as Voters and Exercise their Voting Rights
The Legislative Council General Election will be held on 7 December (Sunday), and the 2025 Voter Registration Campaign is currently under way.
Privacy Commissioner Ms Ada CHUNG Lai-ling appealed to the PCPD colleagues and their family members and friends to actively register as voters on or before the statutory deadline of 2 June, and to cast their votes in the upcoming election to fulfil their civic responsibility.
Eligible individuals who have not yet registered as voters are advised to submit their registration applications to the Registration and Electoral Office (REO) on or before the statutory deadline of 2 June. Registered voters with changes in their residential address or other registration particulars should also submit applications for change of particulars to the REO on or before 2 June.
Promoting AI Security – Privacy Commissioner Meets with Representatives of the Hong Kong Federation of Trade Unions
Privacy Commissioner Ms Ada CHUNG Lai-ling and representatives of the PCPD met, upon invitation, with Legislative Council (LegCo) Members Hon KWOK Wai-keung, BBS, JP and Hon Dennis LEUNG Tsz-wing, MH of the Hong Kong Federation of Trade Unions (HKFTU), Mr LEE Kwong-yu, MH, Vice Chairman of HKFTU and Chairman of the I.T. People Association of Hong Kong, and other representatives of the HKFTU on 14 May to exchange views on the Guidelines recently published by the PCPD.
In the meeting, representatives of the PCPD explained the content of the Guidelines in detail, and were glad to note that the “Proposal on Protecting Employee Rights and Promoting Responsible AI Application” (Proposal) issued by the HKFTU considers the PCPD’s publications on AI as a precursor to future AI regulatory requirements. The PCPD also welcomes the Proposal’s call for all organisations to refer to the Model Framework to establish an AI governance structure and make reference to the Guidelines when formulating internal AI policies or guidelines for employees’ use of generative AI.
The PCPD is keen to collaborate with different industries to assist them in better understanding the contents of the Model Framework and the Guidelines. The PCPD will continue to promote the relevant content to the public, including employees, and will regularly review and update the relevant guidance published by the PCPD on AI.
If organisations and members of the public encounter any questions relating to personal data protection when they develop or use AI, they can call the PCPD’s “AI Security Hotline” at 2110 1155 for enquiries.
Promoting AI Security – Privacy Commissioner Publishes an Article on Hong Kong Lawyer
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article titled “Fostering AI Security: The New Checklist on Guidelines for the Use of Generative AI by Employees” in Hong Kong Lawyer. In the article, the Privacy Commissioner highlighted that the Country has all along placed equal emphasis on the development and security of AI. To facilitate the safe and healthy development of AI in Hong Kong, the PCPD published the Guidelines in March this year, which aim to assist organisations in developing internal policies or guidelines on the use of generative AI by employees at work while complying with the requirements of the PDPO. In addition, the Privacy Commissioner provided an overview of the recommendations and practical tips included in the Guidelines. She also encouraged organisations to adopt the Guidelines and the Model Framework published earlier by the PCPD to devise an AI policy proactively, enabling their employees to use AI effectively, responsibly and safely.
Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Explain How the Use of AI Affects Personal Data Privacy
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 1’s “HK2000” on 12 May to explain the results of the compliance checks conducted by the PCPD on 60 organisations regarding their use of AI from February to May 2025. The Privacy Commissioner said that the compliance checks covered organisations across various sectors and aimed to understand whether the organisations complied with the relevant requirements of the PDPO in the collection, use, and processing of personal data in the use of AI. The results showed that the organisations are prudent in their use of AI and have implemented appropriate measures to ensure data security. The Privacy Commissioner reminded organisations of the importance of complying with the requirements of the PDPO when using AI for the processing of personal data, as well as formulating strategies for the development or use of AI and establishing internal governance structures for AI. She also encouraged organisations to make reference to the Guidelines issued by the PCPD to devise their internal AI policies.
Reaching Out to the Media Sector – Privacy Commissioner Attends the Hong Kong News Awards 2024 Presentation Ceremony cum Luncheon
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Hong Kong News Awards 2024 Presentation Ceremony cum Luncheon on 9 May to congratulate the award winners. The Hong Kong News Awards, organised by the Newspaper Society of Hong Kong, aim to recognise the achievements of outstanding media practitioners and to enhance the professionalism of the industry. The Hong Kong News Awards 2024 presented a total of 78 awards in four categories: reporting, writing, photography and design.
Implementing Spirit of “Two Sessions” – PCPD Convenes Sharing Session on Spirit of “Two Sessions”
The PCPD convened a sharing session on the spirit of the “Two Sessions” on 6 May. Privacy Commissioner Ms Ada CHUNG Lai-ling hosted the session, with Ms Melissa Kaye PANG, BBS, MH, JP, HKSAR member of the National Committee of the Chinese People's Political Consultative Conference (CPPCC), as guest speaker. The session was held to enable colleagues of the PCPD to gain a deeper understanding of the essence of the “Two Sessions”.
Ms Pang shared the key contents of the Report on the Work of the Government and her first-hand experience of attending the “Two Sessions” in person. The Privacy Commissioner expressed her appreciation for Ms Pang’s sharing, which deepened the attendees’ understanding of the spirit of the “Two Sessions”. The Privacy Commissioner elaborated on how the PCPD implements the spirit of the “Two Sessions” from three perspectives, namely promoting the safe development of AI, facilitating the cross-boundary flow of personal information within the Guangdong–Hong Kong–Macao Greater Bay Area and strengthening international exchanges and cooperation.
The Privacy Commissioner pointed out that the “Two Sessions” are of great importance to Hong Kong. They provide clear guidance for Hong Kong to better capitalise on its advantages under the “One Country, Two Systems” principle and to proactively align with national development strategies. She encouraged colleagues of the PCPD to continuously strive to implement the spirit of the “Two Sessions” in their daily work and contribute towards the high-quality development of the Country and Hong Kong.
Reaching Out to Schools – PCPD’s Representative Speaks at Secondary School Seminar
Acting Legal Counsel of the PCPD Ms Dorothy FUNG Hok-ching delivered a presentation on 19 May at a seminar organised by the Hong Kong Press Council as part of the programme “Discussing News and Information with Students and Teachers”. The seminar was held at Lok Sin Tong Ku Chiu Man Secondary School and was attended by nearly 550 teachers and students.
In her presentation entitled “Privacy vs Right to Know”, Ms Fung shared with the participants the privacy-related issues encountered in media work in the digital era and how to protect personal data privacy on social media.
Please click here to download the presentation deck (Chinese only).
Promoting Cross-Boundary Flow of Personal Information – PCPD’s Representative Speaks at the Conference on “Protecting the Digital Consumer in Asia”
Acting Senior Legal Counsel of the PCPD Ms Clemence WONG spoke at a conference entitled “Protecting the Digital Consumer in Asia” on 16 May. The conference was organised by the Centre for Comparative and Transnational Law, Faculty of Law of the Chinese University of Hong Kong.
At the conference, Ms Wong introduced to the participants from the higher education and legal sectors the terms of the “Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong)” and the relevant requirements for cross-border transfers of personal data under the PDPO.
Please click here for the presentation deck.
Telling a Good Hong Kong Story – PCPD Staff Member Awarded Bronze Medal at the 5th Women’s AHF Cup
Ms Yiman CHAN Yi-man, Personal Data Assistant (Compliance) of the PCPD, represented the Women’s Field Hockey team of Hong Kong, China in the 5th Women’s Asian Hockey Federation (AHF) Cup held in Jakarta, Indonesia from 18 to 27 April and received a bronze medal in the tournament.
The AHF Cup is a quadrennial field hockey tournament organised by the AHF.
Care for the Society – PCPD Volunteer Team Prepares Meal Boxes for those in Need Again
Following last year’s efforts, the Volunteer Team of the PCPD assisted Food Angel again on 27 May in preparing free meals for those in need. The Volunteer Team worked together to process food ingredients and prepared a total of 2,642 meal boxes for the needy. Established in 2022, the PCPD Volunteer Team has made multiple visits to elderly centres to raise awareness of scams among the elderly. The Volunteer Team also donated anti-epidemic medical supplies to various social welfare organisations during the COVID-19 pandemic.
Five PCPD Websites Receive “Triple Gold Award” Consecutively under the Digital Accessibility Recognition Scheme 2024-2025
Five websites of the PCPD have received the “Triple Gold Award” consecutively under the Digital Accessibility Recognition Scheme (DARS) 2024-2025. This accolade signifies that the five PCPD websites have received the “Gold Award” for three consecutive years or more. Additionally, the PCPD’s thematic website “Privacy-Friendly Awards”, which was enrolled in the DARS for the first time, also received recognition and won a Gold Award. All six award-winning websites met the 27 judging criteria for digital accessibility web design. This achievement demonstrates the PCPD’s commitment to designing accessible websites that are inclusive of individuals with disabilities and that help internet users overcome digital barriers.
The DARS is organised by the Hong Kong Internet Registration Corporation Limited, with the Digital Policy Office as the co-organiser. This year, the scheme has been renamed from the “Web Accessibility Recognition Scheme” to the “Digital Accessibility Recognition Scheme” to further enhance digital accessibility practices.
The award-winning PCPD websites are as follows:
A 46-year-old Female Arrested for Suspected Doxxing Arising from Monetary Disputes
The PCPD arrested a Chinese female aged 46 in Kowloon on 20 May. The arrested person was suspected to have disclosed the personal data of the data subject without her consent, in contravention of section 64(3A) of the PDPO. The PCPD’s investigation revealed that the victim, who is the owner of a number of beauty salons, got acquainted with the arrested person in 2023. Between August and September 2024, the victim and the arrested person signed two contracts, entrusting the arrested person to operate two of the victim’s beauty salons. The remuneration specified in the contracts included bonuses. Later, owing to complaints lodged with the victim against the arrested person, the victim decided to temporarily withhold paying the bonus to the arrested person until the complaints were resolved. A monetary dispute between the victim and the arrested person then ensued. Subsequently in October and November 2024, four messages containing the personal data of the victim were posted in three open discussion groups and a personal account on a social media platform, alongside some negative comments against her. The personal data disclosed included the victim’s partial Chinese name, partial English name, partial Hong Kong Identity Card number, partial residential address, names of her beauty salons and her photos. The PCPD reminds members of the public that they should not dox others because of monetary disputes. Doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject —
- With an intent to cause any specified harm to the data subject or any family member of the data subject; or
- Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if —
- The person discloses any personal data of a data subject without the relevant consent of the data subject —
- With an intent to cause any specified harm to the data subject or any family member of the data subject; or
- Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- The disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for five years.
According to section 64(6) of the PDPO, specified harm in relation to a person means —
- Harassment, molestation, pestering, threat or intimidation to the person;
- Bodily harm or psychological harm to the person;
- Harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- Damage to the property of the person.
PCPD Urges Caution against Fake Neighbour Scams
The PCPD has noted the emergence of a new type of fraudulent trick. Residents in different housing estates across Hong Kong have received SMS messages purporting to be from their neighbours, complaining about issues such as water seepage or noise, and asking the residents to contact them via instant messaging applications. Subsequent verification by estate management offices confirmed these messages to be fraudulent. Since March 2025, the PCPD has received four related enquiries and two complaints, involving different housing estates in Kowloon and the New Territories.
The PCPD understands that the fraudsters impersonated the victims’ neighbours and sent SMS messages complaining about water seepage or noise issues in their flats, inducing the victims to respond or engage in further discussions via instant messaging applications. Once the conversations began, the fraudsters would pretend to be interested in developing a relationship with the victims or use other tactics to gain their trust, ultimately aiming to swindle money and/or personal data out of them. Fraudsters might also trick the victims into clicking on suspicious hyperlinks leading to fraudulent websites designed to obtain the victims’ personal data.
Privacy Commissioner Ms Ada CHUNG Lai-ling appeals to members of the public to be cautious of the new type of fraudulent trick, particularly fraudulent SMS messages or telephone calls impersonating their neighbours, and to avoid disclosing personal data to others arbitrarily. If members of the public receive suspected fraudulent SMS messages or telephone calls, they should first contact their estate management offices to make enquiries or seek clarification.
The PCPD offers the following tips to the public to safeguard their personal data privacy and to stay vigilant against scams:
- Be Vigilant: Think twice before providing any personal data, verify the purpose of collection of such data and whether it is necessary to provide them. Avoid disclosing personal data to others arbitrarily, clicking on or scanning suspicious links and QR codes, or logging into any suspicious websites;
- Authenticate the Identities of Senders: Even if the senders can provide your personal data in their SMS messages, if you are in doubt about their identity, you should verify the authenticity of the senders or relevant organisations through other contact methods;
- Keep an Eye on Your Accounts and Transaction Records: Regularly check online banking for any unusual log-in activities, unauthorised transfers or transactions in your bank accounts or credit cards;
- Password Protection: Change the passwords of online banking accounts from time to time and enable two-factor authentication (if available). Never share passwords with anyone;
- Fraud Prevention Information: Pay attention to the fraud prevention information published by the PCPD, the Police or relevant organisations. Share the information with friends and relatives (especially the elderly and youngsters) to enhance their awareness of fraud prevention.
Anyone who receives suspected fraudulent SMS messages or telephone calls may verify with the relevant organisations, or make enquiries or lodge complaints with the PCPD (“Personal Data Fraud Prevention Hotline”: 3423 6611 or email: communications@pcpd.org.hk). If there is any suspicion of fraud involving personal data that constitutes a criminal offence, they should immediately report the case to the Police. Citizens may also visit “Scameter” (https://cyberdefender.hk/en-us/scameter/) to check suspicious phone numbers, email addresses and websites, etc.
Highlights of the “Cybersecurity Law (Draft Amendment for Second Public Consultation)”
On 28 March 2025, the Cyberspace Administration of China (CAC) issued the “Cybersecurity Law (Draft Amendment for Second Public Consultation)” (Draft Amendment)2. This is the second time4 the CAC has solicited public comments on the revision of the Cybersecurity Law3 since the law came into effect on 1 June 20171. The consultation period ended on 27 April 2025.
The proposed amendments focus on revising the types, scope and extent of administrative punishments. This includes increasing the severity of punishments for serious violations, introducing circumstances for lenient punishments, and ensuring alignment with other related laws such as the Personal Information Protection Law5, the Data Security Law6 and the Administrative Punishments Law7. This article provides an overview of the Draft Amendment.
In addition to raising the maximum fines for network operators and critical information infrastructure operators, the Draft Amendment also raises the fines imposed on the persons directly in charge. Owing to space constraints, the discussion below covers only the fines imposed on organisations rather than on individuals.
Heavier penalties on a classified and tiered basis
The Draft Amendment sets penalties on a classified and tiered basis. Penalties for critical information infrastructure operators are generally more severe than those for ordinary network operators, and the maximum fines are graded according to the seriousness of the violation.
Taking legal liability for network operation security as an example, under the Draft Amendment, where a network operator fails to perform its network security protection obligations and refuses to rectify, or causes consequences such as endangering network security, the maximum fine is increased from the current RMB100,0008 to RMB500,000; for a critical information infrastructure operator committing a violation of the same degree, the maximum fine is higher, at RMB1,000,000.
The Draft Amendment also proposes other, more severe penalties according to the seriousness of the violation. Where the violation causes serious harm to network security (for example, large-scale data leakage or a partial loss of function of critical information infrastructure), a fine of up to RMB2,000,000 may be imposed; where it causes particularly serious harm to network security (for example, loss of the main functions of critical information infrastructure), a fine of up to RMB10,000,000 may be imposed. In these serious cases, in addition to imposing fines, the competent authorities may also order the relevant operators to suspend business for rectification, close websites or applications, and so on.
As regards legal liability for network information security, the Draft Amendment contains a similar tiered penalty structure. Under the current Cybersecurity Law, where a network operator fails to stop the transmission of, or remove, information whose publication or transmission is prohibited by laws or administrative regulations, and refuses to rectify or the circumstances are serious, the maximum fine is RMB500,0009. In addition to proposing that this cap be raised to RMB2,000,000, the Draft Amendment adds a provision under which a violation that “causes particularly serious impact or particularly serious consequences” may be fined up to RMB10,000,000.
Alignment with the provisions of the Personal Information Protection Law and the Data Security Law
Given that the Data Security Law and the Personal Information Protection Law have made new, specific provisions on the penalties for a number of violations under the Cybersecurity Law involving personal information and important data, the Draft Amendment proposes amending the relevant articles10 to read “to be handled and punished in accordance with the provisions of the relevant laws and administrative regulations”. The violations concerned include infringement of personal information, and the storage of, or provision of, personal information and important data outside the Mainland by operators of critical information infrastructure.
Introduction of the Administrative Punishments Law provisions on lighter, mitigated or no administrative punishment
The Draft Amendment proposes a new Article 72, which provides that in specified circumstances the competent authorities may, in accordance with the Administrative Punishments Law, impose a lighter or mitigated administrative punishment on a network operator, or impose no punishment. These circumstances include “proactively eliminating or mitigating the harmful consequences of the violation”, “the violation being minor and promptly rectified, with no harmful consequences caused”, and “a first violation with minor harmful consequences that is promptly rectified”, all of which are consistent with the provisions of the Administrative Punishments Law11.
Conclusion
The Draft Amendment proposes a number of important revisions to the penalty provisions of the current Cybersecurity Law. The Report on the Work of the Standing Committee of the National People’s Congress12, released during the “Two Sessions” in March this year, has already listed the amendment of the Cybersecurity Law among this year’s work tasks, and the relevant parties should closely monitor the progress of the legislation.
1 The CAC issued the first consultation draft in September 2022.
2 Full text: https://www.cac.gov.cn/2025-03/28/c_1744779434867328.htm
3 Full text: https://www.gov.cn/xinwen/2016-11/07/content_5129723.htm
4 The CAC issued the “Decision on Amending the Cybersecurity Law of the People’s Republic of China (Draft for Public Consultation)” in September 2022 to solicit public comments. Full text: https://www.gov.cn/xinwen/2022-09/14/content_5709805.htm
5 Full text: https://www.gov.cn/xinwen/2021-08/20/content_5632486.htm
6 Full text: https://www.gov.cn/xinwen/2021-06/11/content_5616919.htm
7 Full text: https://www.gov.cn/xinwen/2021-01/23/content_5582030.htm
8 Article 59 of the Cybersecurity Law.
9 See Article 68 of the Cybersecurity Law.
10 Including Articles 64 and 66 of the Cybersecurity Law.
11 See Articles 32 and 33 of the Administrative Punishments Law.
12 Full text: http://big5.www.gov.cn/gate/big5/www.gov.cn/yaowen/liebiao/202503/content_7013545.htm
Professional Workshop on Data Protection in Human Resource Management
Since job applicants, current and former employees may request access to their personal data kept by organisations from time to time, employers or human resource management professionals have to ensure compliance with the requirements of the PDPO when they collect and handle data of their employees. On the other hand, employers should meet public expectations to constantly protect and respect their employees’ personal data privacy. This workshop enables participants to learn how to handle different scenarios and strengthen their knowledge of data protection in human resource management.
Date: 4 June 2025 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Online
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Human resource officers, data protection officers, compliance officers, solicitors, administration managers, recruitment agents
Professional Workshop on Data Protection and Data Access Request
Receiving Data Access Requests (DAR) is a frequent occurrence for many organisations. For example, employees may request copies of their previous appraisal reports from their employers, and patients may request copies of their medical records. Handling DAR properly, effectively and in a timely manner poses a challenge to many organisations.
This workshop will examine in detail the compliance requirements for handling DAR under the PDPO and offer practical guidance to participants on handling DAR.
Date: 11 June 2025 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Online
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Solicitors, data protection officers, administration managers, human resource officers, customer services personnel
Professional Workshop on Data Protection in Banking/Financial Services
The application of fintech has developed rapidly in recent years, changing the landscape of the financial world. Practitioners of the banking and financial industry may face different personal data privacy issues in their business operations. To deal with these new challenges, a clear understanding of the requirements under the PDPO is necessary.
This workshop examines the risks of handling personal data in the daily operations of banking and financial services institutions, and provides practical advice on how to deal with these issues effectively. It is particularly suitable for data protection officers, compliance officers, banking/ financial practitioners, company secretaries and solicitors.
Date: 18 June 2025 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Face-to-face (Physical venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Data protection officers, compliance officers, company secretaries, solicitors, advisers and other personnel undertaking work relating to the banking/financial industry
New Series of Professional Workshops on Data Protection from Jul to Sep 2025:
Online Free Seminars – Introduction to the PDPO Seminar
The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are shown below:
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Data security management;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special Offer for Organisational Renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).
Join us now to keep up-to-date with the latest news and legal developments!
PCPD Supports the Cyber Security Staff Awareness Recognition Scheme 2025
The PCPD is delighted to be one of the scheme partners of the Cyber Security Staff Awareness Recognition Scheme 2025 (Scheme). Co-organised by the Hong Kong Internet Registration Corporation Limited and the ISACA China Hong Kong Chapter, the Scheme aims to promote the “Human Firewall” concept in the industry: raising staff awareness of cyber security as a second line of defence on top of technical protection, and enhancing organisations’ level of protection by encouraging them to raise staff awareness through multiple channels. Applications are now open for the 2025 round of the Scheme.
Please click here for the Scheme details and application.
The PCPD values the opinions of all our DPOC members. We would love to hear your ideas and suggestions on which privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
Copyright
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.